3

I want to implement reCAPTCHA in a very simple form. I have an index.html file on the client side and a post.php on the server side.

I've tried to integrate reCAPTCHA on the server side, as you can see in my code below.

I've made some tests, which seem to have the expected result...

The problem appeared when I tried this query:

for X in `seq 0 100`; do curl -D - "http://example.com/post.php" \
  -d "email=email${X}%40example.com&tos=on&g-recaptcha-response[]=plm&submit="; done

The result was that I bypassed reCAPTCHA successfully, and I'm not sure what the problem is.

Most probably there's a problem in my PHP code, but what exactly?

post.php

<?php

    $email;$submit;$captcha;

    if(isset($_POST['submit']))
    {
      $email=filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
    }
    if(isset($_POST['g-recaptcha-response']))
    {
      $captcha=$_POST['g-recaptcha-response'];
    }
    if(!$captcha)
    {
      echo '<h2>Please check the the captcha form.</h2>';
      exit;
    }
    $response=file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=6Le[whatever[7_t&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']);
    if($response.success==false)
    {
      echo '<h2>You are spammer ! Get the @$%K out</h2>';
    }
    else
    {
      $file = 'email-list.txt';

      if (filter_var($email, FILTER_VALIDATE_EMAIL)) 
        {
            if(!(exec('grep '.escapeshellarg($email).' '.$file))) 
            {           
                // Open the file to get existing content
                $current = file_get_contents($file);

                // Append a new person to the file
                $current .= $email . "\n";

                // Write the contents back to the file
                file_put_contents($file, $current);

                header('Location: index.html?success='.urlencode($email));
            }
            else
                header('Location: index.html?fail='.urlencode($email));
        } 
        else 
        {
            echo "$email is <strong>NOT</strong> a valid email address.<br/><br/>";
        }
    }
?>

index.html

...
<div class="form-group" ng-cloak>
    <div class="g-recaptcha" ng-show="IAgree" data-sitekey="6LeEW[whatever]-UXo3"></div>
</div>
...

How can I solve this? English is not my native language; please excuse typing errors.

Gerald Hughes

  • You need to `json_decode` the response from file_get_contents – Flukey Oct 23 '15 at 12:19
  • @Flukey, thanks for your comment, but I'm not sure I know what you mean... aren't the conditions the problem? – Gerald Hughes Oct 23 '15 at 12:24
  • `$response.success` will not exist because `file_get_contents` returns a string and not an object. You need to decode the JSON string into a PHP object before you can call `$response.success`. EDIT: Should be `$response->success`, not `$response.success` – Flukey Oct 23 '15 at 12:25
  • `$response.success==false` isn't syntactically valid. Are you sure you're able to run this code without any errors? [Enable error reporting](http://stackoverflow.com/a/6575502/1438393) first. – Amal Murali Oct 23 '15 at 12:26
  • @Flukey: That would only [result in a fatal error](https://eval.in/455953) – Amal Murali Oct 23 '15 at 12:27
  • @AmalMurali I get this notice: `Notice: Use of undefined constant success - assumed 'success' in /home/example.com/public_html/post.php on line 23`, followed by `test@test is NOT a valid email address.` – Gerald Hughes Oct 23 '15 at 12:30
  • @stefan - `$response = json_decode(file_get_contents("https://www.google.com/recaptcha/api/siteverify?")); if($response->success == false) { echo "Oh no"; }` – Flukey Oct 23 '15 at 12:35
  • @Flukey works like a charm; if you post your answer, I will accept it. Thanks! – Gerald Hughes Oct 23 '15 at 12:47

1 Answer

3

As mentioned in my comments above, file_get_contents returns a string. You need to decode the JSON string into a PHP object using the json_decode function:

$url = "https://www.google.com/recaptcha/api/siteverify?"; // append the secret, response and remoteip parameters as in the question
$response = json_decode(file_get_contents($url));          // the raw body is a JSON string; decode it into an object
if ($response->success == false) {
    echo "Oh no";
}
Flukey